1Password is all about bringing convenience to security. Of course, there are always challenges to overcome. On Android, one particular challenge we have been working on is how to make it both secure and convenient for you to use your login credentials. Until recently, your options for filling these credentials were limited to either using the 1Browser built into 1Password or using the clipboard to copy and paste.

While 1Browser helps you fill your login credentials into your favorite sites, it probably isn’t as fully featured as your favorite browser. 1Browser also isn’t much help when you want to use your login credentials to sign into an app. In these situations, you were previously limited to using copy and paste to get your login information out of 1Password and into that browser or app. Unfortunately, using the clipboard for this purpose is not at all convenient, and as we have mentioned before, not particularly secure.

Something better

When evaluating ways to provide a Login filling solution, we wanted to address the following concerns:

It needed to be more secure and more convenient than using the clipboard.

It needed to provide login filling for both third-party apps and browsers.

In order to make this happen, we needed to implement a service that could detect login fields when displayed in apps and browsers, and insert text directly into those fields. So, we split this functionality across two different services: the 1Password Automatic Filling service detects login fields and gives them focus when appropriate, while the 1Password Keyboard displays the interface for selecting the right Login and sends the credentials for that Login to the appropriate text fields.

Login detection

The first step in filling your credentials is determining when there is a login form on screen that 1Password can fill into. To do this, we take advantage of the Accessibility APIs included in Android to get information about the elements displayed on screen in the form of an AccessibilityEvent.

Our implementation of the 1Password Automatic Filling service starts with this callback:

The onAccessibilityEvent callback is fired whenever a user interface event occurs for which we have registered. In our case, we are interested in events which indicate that the elements on the screen have changed. In particular, we register to receive typeViewFocused, typeWindowStateChanged, and typeWindowContentChanged events. By monitoring these events, we can keep an eye out for potential login screens or other opportunities for 1Password to fill.

When the callback is fired for one of these events, our next step is to see if we can identify login fields on the updated screen. We can determine which user interface elements are displayed on screen by invoking AccessibilityEvent.getRootInActiveWindow(). From the root AccessibilityNodeInfo object returned by this method, we can obtain information about all the user interface elements displayed in the active window. In particular, we look for arrangements of text fields matching the pattern for login entry. Once login fields have been identified, the 1Password Keyboard is notified that automatic filling is available. The keyboard is also passed the package name of the application or the URL of the website in which the login fields were detected.

Login selection

Keyboards on Android are built upon the InputMethodService APIs provided by the OS and, in this sense, the 1Password Keyboard is similar to other third-party keyboards. However, the benefit of creating a custom keyboard is that it can be tweaked to do a whole lot more than simple text entry. In the case of 1Password, our keyboard also allows you to view and select the Login items contained in your vault. When you tap the 1Password button on the keyboard, we expand the keyboard to full screen in order to display a list of relevant Logins.

If the 1Password Keyboard has been notified that automatic filling is available, it will look at the package name or URL provided by the 1Password Automatic Filling service and attempt to match it with the Logins contained in your vault. We display any matching Logins and offer the ability to browse for additional logins when appropriate. From here, you can tap on a Login to select it for filling.

Login filling

Once you have selected the appropriate Login for filling, the 1Password Keyboard exits fullscreen mode and once again shows the keyboard keys. You will now see two buttons displayed above the keyboard for filling the username and password corresponding to the selected Login. These buttons provide the ability to manually fill Login credentials in those instances when the 1Password Automatic Filling service isn’t enabled or when it doesn’t correctly identify the login fields in question.

However, when the 1Password Automatic Filling service is enabled and has detected the login fields, the 1Password Keyboard will do all of that work for you. The keyboard asks the 1Password Automatic Filling service to select the appropriate login fields by invoking:

Once each login field has been focused by the 1Password Automatic Filling service, the 1Password Keyboard is notified. It then inputs the username or password text directly into that field. Once this is done, all that is required of you is to tap the “Sign In” button.

Security and convenience

By combining the 1Password Keyboard with the 1Password Automatic Filling service, we are able to provide a filling solution that avoids use of the clipboard entirely and doesn’t rely on passing your credentials through a third party. Whether you use the 1Password Keyboard as your main keyboard or in addition to your favorite keyboard, securely filling Logins into apps and browsers is only a couple of taps away.

If you would like to read more about enabling the 1Password Keyboard and Automatic Filling service on your Android device, please see our helpful documentation.

I should add that we do have the 1Password extension which works in Safari and in many third-party iOS apps. If the apps you use haven’t added access to our extension yet, you can send them to https://agilebits.com/onepassword/devoutreach and encourage them to add it.

Hey. I have a question. Is there any way we can “help” 1password find a match for an apps’ package name?
For example, 1password doesn’t know that the package “com.infonow.bofa” corresponds to bank of america. Can I add any metadata to my login item to help the app figure that ou?

In this particular case, the answer is no. Well, you could add “infonow.com” to that 1Password item’s list of URLs (since we do a reverse lookup of the package name), but this could cause confusion if you have an actual “infonow.com” item in 1Password, either now or in the future.

It’s not something that’s planned right now, but I’ll be happy to pass your suggestion along to our developers (although I can’t promise anything). For now, though, a long press of the spacebar will allow you to switch back to your keyboard.

Yeah, I know how to switch it back, but after the login the keyboard is gone. So I have to switch back at some later point, which is super annoying especially when I’m on the go and just quickly want to answer a text.

Hey Agile Bit-ers, great product. Love it and opted for 1Pass over Lastpass for a few reasons.

Is it possible and on the product timeline to do as Lastpass does for autofilling? I don’t know how to describe it, but it doesn’t require switching keyboards – their application uses Android’s accessibility functionalities to somehow monitor on-screen items and automatically identify where a password fill might be needed.

Hi, Prescott! Thanks for taking the time to read our blog post, and for your kind words about 1Password. That’s a great question. Our early approach to filling worked in a similar manner, but presented some technical limitations and less widespread support for a variety of Android OS versions. You can read more about the implementation and why we decided to make changes in our discussion forums.